Email phishing has long been the attacker's most reliable way in. One important part of staying secure is taking additional steps to verify your identity when shopping or banking online, or simply logging in to any online account. One of the most useful tools for that is two-factor authentication (2FA): an extra step, beyond the password, that proves it is really you logging in. It has been around a while and is a simple, direct security precaution. Security researchers recently published a way attackers can defeat that extra step in real time, gaining access to your accounts without you ever knowing they were there.

Training and cybersecurity education have helped reduce successful email phishing, but this latest technique tricks users into handing over their passwords and 2FA codes by impersonating the very login step you count on. Attackers present a web site that is the spitting image of the login page you expect to see for your account. Rather than merely crafting a look-alike, a tool called Modlishka acts as a reverse proxy: it fetches the real content from the actual website and relays it to you, so what you see is identical to the genuine site. That is the scary part. Everything you type, including the password and the one-time code from your phone, passes through the attacker's proxy on its way to the real site, so the attacker captures your credentials and the authenticated session while the login succeeds as normal. Once they have what they want, they pass you on to the intended website, and you never notice anything was wrong.

Although 2FA does not guarantee safety from phishing, as this instance demonstrates, it still adds a real second layer of protection. It should always be enabled when it is offered for your online accounts.

A common misunderstanding is that Multi-Factor Authentication (MFA) is a stronger, separate product from 2FA. It is not: 2FA is simply MFA with exactly two factors. What matters is that the factors are independent and come from different categories, which is why it is standard for high-security logins (think nuclear power plants and government accounts). Techopedia describes the three categories of factors as follows:

Something the user has, such as an employee ID card, a hardware token or a phone;

Something the user knows, such as a PIN or password;

Something the user is, such as a fingerprint or face scan.

None of these is foolproof on its own, and adding a third factor does not stop a proxy attack like Modlishka: any code the user reads and types, whether from SMS or an authenticator app, can be relayed. What does stop it is a phishing-resistant factor such as a FIDO2/WebAuthn security key or platform authenticator, which signs the login challenge together with the web origin the browser is actually connected to, so an assertion produced on a look-alike domain is rejected by the genuine site.
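The difference between a relayed one-time code and an origin-bound assertion, as an added illustration in Python (not code from this article or from the Modlishka tool): the bank, the victim, the proxy, the two origins and all key material are constructed here, and an HMAC with a per-device key stands in for the FIDO2 credential's signature. The TOTP function is real RFC 6238 arithmetic; the property shown for the assertion (the signed data includes the origin the browser actually connected to) is the real one.

```python
"""Relayed TOTP vs origin-bound assertion: a simulated bank, victim and reverse proxy."""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://bank.example"        # assumed legitimate site
PROXY_ORIGIN = "https://bank-login.example"  # assumed attacker look-alike running a proxy


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Bank:
    """Server side: either password + TOTP, or a challenge signed by the user's device."""

    def __init__(self, password: str, totp_secret: bytes, device_key: bytes):
        self.password = password
        self.totp_secret = totp_secret
        self.device_key = device_key       # stands in for the registered credential's key
        self.outstanding: set = set()      # challenges issued but not yet consumed

    def login_with_totp(self, password: str, code: str, unix_time: int) -> bool:
        # The bank only checks that the code is right for the current window.
        # It cannot tell whether the client typing it is the victim or a proxy.
        return password == self.password and hmac.compare_digest(
            code, totp(self.totp_secret, unix_time))

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def login_with_assertion(self, challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
        # Reject unknown or reused challenges and any origin other than the bank's own,
        # then verify the signature over (challenge || origin). A signature the device
        # produced for another origin will not verify against LEGIT_ORIGIN.
        if challenge not in self.outstanding or claimed_origin != LEGIT_ORIGIN:
            return False
        self.outstanding.discard(challenge)
        expected = hmac.new(self.device_key, challenge + claimed_origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def device_sign(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The authenticator signs the challenge together with the origin the browser reports.
    The user cannot be tricked into changing that origin: it is whatever is in the URL bar."""
    return hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def make_bank() -> Bank:
    # Constructed account; the TOTP secret is the RFC 6238 test-vector secret.
    return Bank("hunter2", b"12345678901234567890", b"constructed-device-key")


def proxy_relays_totp(bank: Bank, unix_time: int) -> bool:
    """Modlishka-style flow: the victim types password and the code from their phone into
    the proxy's copy of the login page; the proxy forwards both to the real bank inside
    the same 30-second window and ends up holding the authenticated session."""
    typed_password = "hunter2"                       # what the victim types into the proxy
    typed_code = totp(bank.totp_secret, unix_time)   # the code showing on the victim's phone
    return bank.login_with_totp(typed_password, typed_code, unix_time)


def proxy_relays_assertion(bank: Bank) -> bool:
    """Same proxy against an origin-bound credential. The victim's browser is on
    PROXY_ORIGIN, so the device signs for that origin. The proxy forwards the
    assertion and claims the legitimate origin; the signature does not verify."""
    challenge = bank.new_challenge()                 # proxy fetches a genuine challenge
    signature = device_sign(bank.device_key, challenge, PROXY_ORIGIN)
    return bank.login_with_assertion(challenge, LEGIT_ORIGIN, signature)


def genuine_assertion(bank: Bank) -> bool:
    """Control case: the user really is on the bank's site."""
    challenge = bank.new_challenge()
    signature = device_sign(bank.device_key, challenge, LEGIT_ORIGIN)
    return bank.login_with_assertion(challenge, LEGIT_ORIGIN, signature)


if __name__ == "__main__":
    bank = make_bank()
    print("TOTP relayed through proxy logs in:", proxy_relays_totp(bank, 1_700_000_000))  # True
    print("origin-bound assertion relayed:", proxy_relays_assertion(bank))                # False
    print("genuine origin-bound login:", genuine_assertion(bank))                         # True
```

The relayed TOTP succeeds because the bank has no way to know who typed the code; the relayed assertion fails because the origin is part of what was signed, and the proxy cannot re-sign without the device key. A real WebAuthn server additionally checks the RP ID hash and signature counter, which this simulation leaves out.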

For those of us without high-security jobs, start with the basics: a strong, unique password for every account (changed when you suspect compromise rather than on a fixed schedule) and a sharp eye for attempted phishing. Though attackers now get into accounts in sneakier ways, there are still ways to identify them, and as with Modlishka, it starts with a phishing email that appears to be from someone you know, such as your financial institution:

If you are not expecting links or attachments in an email or text, don’t click them.

If you notice typos, misspellings, or incorrect grammar, be very suspicious.

If the email says something that tries to scare you into taking quick action, stop and think first. Then contact the sender independently before clicking. The financial institution or retailer will appreciate being alerted to fraudulent activity involving them, and if the message is legitimate, they will tell you that too.

Check the address bar of important websites before entering personal information, reading all the way to the end of the domain name rather than just the familiar-looking beginning. Be 100% certain it is where you want to be.

Before clicking anything you are not certain about, verify independently by calling the sender. Use a number from a website you know is right or one you already have saved; never use contact details sent in the email.

If any website offers 2FA or MFA, don't hesitate to use it. It may not be the absolute guarantee you hope for, but an additional verification step is always recommended, and a hardware security key, where supported, is the option that holds up against the proxy attack described above.

Financial institutions and hacking go hand-in-hand these days, and keeping your bank account and credit from being the next victim is more important than ever. The safest approach, although the least comfortable, is to assume that if your data has not yet been breached, at some point it will be. Hacking banks and their account holders is the most direct cash infusion a criminal can get, and they know it. According to Kaspersky Lab, attacks on ATMs alone hit an all-time high in 2017, driven by malware-as-a-service (MaaS) offerings. With such a service, even would-be criminals with no cybercrime experience can watch an instructional video on how to target an ATM successfully. With relentless email phishing attacks on one side and step-by-step hacking advice on the other, guarding our finances with common-sense protection is something we all need to do. It starts by being proactive with your accounts.

Password security. It's time to put passion into passwords! Assuming your account will at some point be breached, there is no reason to make it easier for attackers to crack your password or reuse it elsewhere. Every account deserves its own unique password. Length matters more than character variety: aim for twelve characters or more (a passphrase of several unrelated words works well) and avoid single dictionary words, names and dates. A password manager makes this practical; if you must write passwords down, keep the paper somewhere it cannot easily be found by others.

Always use two-factor authentication (2FA), also referred to as multi-factor authentication (MFA). In the wake of massive financial hacking, most banks and social media services provide 2FA as a second security step that is easily set up on your account. When you log in, the bank sends a security code to your phone, and the code is needed to complete the login. It is a great and easily added security layer: even if an attacker has your password, they also need the code from your phone. Keep its limit in mind, though. A code you type into a look-alike site can be relayed to the real one in real time, so it protects you against a stolen password, not against typing into the wrong site.

Check your accounts often. No more waiting for your monthly statements. With easy online access, keeping tabs on the financial comings-and-goings is an easy way to spot suspicious transactions. Should anything look questionable, it’s much more effective to alert your bank or provider immediately. Taking fast, proactive steps can prevent further damage to your account should it be breached.

When using ATMs, take a quick look to ensure there isn't a skimming device attached. If there is, don't use the machine, and report it to the financial institution. Also, use ATMs in well-lit areas with plenty of traffic; hidden ones or those in dark areas are easier targets for ATM scammers.

Of course, always be on the lookout for phishing scams. These are still common and frequent and are getting more difficult to detect all the time. If you are not expecting a link or attachment, regardless of the sender, just don't click it.

Keep tabs on your credit reports. The big three credit bureaus, TransUnion, Equifax and Experian, each allow a free credit report annually, so stagger the requests and get one free every four months. Doing so lets you see what's going on in the background with your credit and quickly report any credit activity you didn't initiate.

Finally, don't be afraid to freeze your credit. By law, the big three credit bureaus now must offer free credit freezing and un-freezing. Should you spot something suspicious with your credit, a quick freeze can prevent a whole lot of financial heartache by keeping criminals from opening new accounts in your name. Just remember that a freeze blocks new creditors from pulling your report, so you will need to lift it temporarily before applying for credit yourself; you can still obtain your own reports while it is in place.

Social engineering is a broad term. It can encompass anything from an attacker pretending to be a printer repair person who convinces someone to let him into the office, to highly targeted research such as cyberstalking. The latter can lead to very effective spear-phishing and appears to be how recently discovered malware called CamuBot is deployed. CamuBot camouflages itself as legitimate security software and targets companies and public-sector organizations. It is distributed in a highly individualized way, and researchers at IBM believe information is gathered on very specific targets, even from sources as mundane as a phone book.

CamuBot's operators pose as bank employees over the telephone and instruct the victim to go to a URL to "verify" their security products. The victim is then asked to apply updates, close all running programs, and download and install an "update." If everything goes to the attacker's plan, the malware ends up running under the Windows administrator profile, and that is never a good thing.

Another tricky part is that the attackers use the organization's actual logos, and the name of the file downloaded during this process is different every time, which makes it difficult to detect with security tools or with the human eye. Using the telephone makes the approach seem more authentic; it is a more personal connection. After the malware is installed, the victim is asked to log into a fake site, which looks very real, to what they think is their business banking account. At that point the credentials are lifted by the attacker, and that is all the criminals need, since CamuBot can get around two-factor authentication.

There is even more to this process that includes the victim being tricked into giving remote access to who they think is a bank employee.

To avoid this, consider what you post on social media and business networking websites, such as LinkedIn. While phone books are a rarity in the U.S., people put a lot of information online that an attacker could use in such a campaign as this one. Try using more generic terminology so that it is more difficult for someone who may want to conduct phishing to use the information against you or your organization.

Also, keep anti-virus software updated at all times. Although malware sometimes bypasses it, it still blocks most of what is out there. Be sure to have a legitimate product, and if you are asked to update anything on your work devices, verify separately with your manager or IT department before doing anything. This is particularly important if the request arrives by incoming call. To reach technical support or other assistance, use phone numbers and email addresses you already know are trusted. Phishing messages often list a phone number where you can get "help," but that just sends you straight to the attackers.

CamuBot is very sophisticated. Fortunately, it hasn't been seen in the U.S. yet. It does resemble some familiar names, however: TrickBot, Dridex and QakBot. You can bet it, or some variant of it, will show up on these shores sooner rather than later.

You hear about phishing all the time. Unfortunately, no matter how often we hear that term and about what it involves, there is still a large portion of people that fall victim to it. In fact, a recent report by Baker Hostetler found that people falling victim to phishing is, for the third year in a row, the leading cause of data security events. So, if we hear about it so much, why do we still keep getting hooked?

One explanation is that we really don’t know what it is. Well, then we will tell you.

Phishing is a type of social engineering that tricks someone into performing a task, such as clicking a link or opening an attachment in an email, that turns out to be malicious or that requests sensitive information, usually without the user realizing it. Very often (though certainly not always), the information requested includes online banking credentials or login details for some significant site, such as PayPal. The messages often appear to come from a reputable source: your financial institution, a large technology company, a delivery company such as FedEx, or a vendor or partner of your organization. Sometimes they come from completely unknown senders. There is no template or standard anymore, so it is always important to be aware that at any given time, someone could be trying to hook you.

It's also important to note that those perpetrating phishing attacks are always shifting tactics. They are coming up with new ways all the time. They also are not limiting phishing to email. They also are using text messaging (smishing) and the telephone (vishing) more and more.

Whoever may send the message, there are some clues to identifying these phishing hooks:

There is a generic greeting. It’s addressed to a group or just “Member,” for instance.

It comes from an unknown sender and includes a link or attachment.

There is a button making it easy to log in to "your account." Often they claim you need to verify details.

There is a request for sensitive information that you normally would not provide.

It attempts to convey a sense of urgency, claiming something “bad” will happen if you don’t click or respond right away.

There are typos or it just isn’t written professionally.

It comes from someone you know, includes links or attachments, but is unexpected or seems generic or strange.
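The clues listed above, turned into checks a mail filter or analyst script might run, as an added example in Python (not code from this article). The two messages are constructed for the demonstration, and the keyword lists and the two-label "registrable domain" shortcut are illustrative simplifications, not a complete or production filter.

```python
"""Heuristic phishing-clue checks over a raw email: greeting, urgency, sender/reply-to
mismatch, and links whose visible text or target do not match the sender's domain."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|locked|verify now|urgent)\b", re.I)
GENERIC = re.compile(r"\bdear\s+(member|customer|user|valued\s+\w+)\b", re.I)
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


class Extract(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name (demo shortcut; not a public-suffix-list lookup)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw: str) -> list:
    """Return a list of human-readable flags raised by the message; empty means no clue fired."""
    msg = message_from_string(raw)
    flags = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = registrable(from_addr.rsplit("@", 1)[-1])
    if reply_addr and registrable(reply_addr.rsplit("@", 1)[-1]) != from_dom:
        flags.append("Reply-To domain differs from From domain")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    page = Extract()
    page.feed(body)
    text = " ".join(page.text)
    if GENERIC.search(text):
        flags.append("generic greeting")
    if URGENCY.search(text):
        flags.append("urgency language")
    for href, anchor in page.links:
        target = registrable(urlparse(href).hostname or "")
        shown = HOST_IN_TEXT.match(anchor)
        if shown and registrable(shown.group(1)) != target:   # text says one site, href another
            flags.append(f"link text shows {shown.group(1)} but points to {target}")
        if target != from_dom:                                 # link leaves the sender's domain
            flags.append(f"link points off the sender's domain ({target})")
    return flags


# Constructed sample: display name and From address look right, everything else is off.
PHISH = """\
From: "PayPal Support" <support@paypal.com>
Reply-To: help@secure-payments-verify.example
To: victim@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify now.</p>
<p><a href="http://paypal.com.verify-login.example/signin">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed sample of an ordinary transactional message for comparison.
BENIGN = """\
From: "PayPal" <service@paypal.com>
To: alice@example.org
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Alice,</p>
<p>Thanks for your purchase. You can view the order in your account.</p>
<p><a href="https://www.paypal.com/myaccount/transactions">Sign in to view</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, phishing_indicators(raw))
```

The phishing sample trips all five checks; the benign one trips none. Note that the From header alone is not a usable signal, since it is trivially forged; the mismatches around it (Reply-To, link targets) are what carry information.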

How to avoid ending up as today’s catch:

Just don’t click links or attachments in email unless you are 100% sure they are safe and intended to be sent.

Keep security software updated at all times.

Use multi-factor authentication (MFA) when it’s available for any account.

Don’t send sensitive information in email. It just isn’t safe in most cases.

If you need to verify account details, log into your accounts directly using a bookmark or an address you know is correct. Don't click buttons or links in the message to do this.

If you have questions, find a phone number on the organization's own website. Don't call one provided in the email or hit the reply button.

By following these tips and trusting your sixth sense, you can often avoid becoming the attacker’s next catch.

Successful Phishing at FS-ISAC May Have Been Prevented With Awareness Training

Published April 15, 2018

The importance of awareness training in cybersecurity in any organization cannot be over-emphasized. Really. And even if you provide it to employees, or receive it as an employee, a recent incident stresses again that no matter how many perimeter security tools are implemented, it takes just one person clicking on a malicious email to get through that security infrastructure.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), the industry forum that financial services organizations use to share data and critical cybersecurity threat intelligence, experienced a successful phishing attack against its members when an employee clicked on an email attachment and unwittingly gave up email credentials to a bad actor. The attachment was a PDF containing a link to a page where credentials were harvested. From there, the credentials were used to send more malicious email to some members, affiliates and other employees.

While FS-ISAC was in the midst of implementing a multi-factor solution for email, this particular person's account did not yet have it enabled. Ideally, that would have prevented the follow-on messages that appeared to come from the legitimate employee: with MFA in place, the stolen password alone would not have let the attacker into the mailbox to send them.

You see, phishers and attackers of all kinds count on a level of trust between sender and recipient to be successful. If you see a message from a colleague, you are more likely to trust that any links or attachments in it are safe. Unfortunately, this and many other examples show that this can no longer be assumed. It is important now to be inquisitive about anything that arrives in email, regardless of who sends it, before acting on it or providing confidential or sensitive information. This person could have prevented the incident by simply picking up the phone and calling a manager or the IT department to verify that it was necessary to enter login credentials into that site.

No customer data was accessed, according to FS-ISAC, but it is clear that awareness training conducted on a continual basis cannot be discounted. Threats are always changing, and it is to any organization's benefit to keep everyone who connects to the network aware and able to help prevent attacks.

There are common tactics phishers use to fool employees into opening harmful links, downloading malicious files, and providing passwords and other data that can seriously harm a business. Phishers prey on human emotion and error to achieve their goals. Cybersecurity professionals agree that employee education is a crucial component of security, just as important as the company's technical defenses. Below are some of the most common phishing tactics aimed at personnel and how to avoid being hooked, according to Tripwire.

1. The Lure: Deceptive Phishing

Beware emails claiming to be from a vendor or service provider. They frequently use subject headings and content with a focus on urgent business matters that require your input. They ask an employee to provide personal information and/or login to a bogus web page that steals their data.

How to Avoid the Hook:

Look for generic wording in the email that is not specific to you. Phishers cast a wide net geared toward catching as many employees as possible, and therefore avoid being specific. From the IRS to service providers, legitimate organizations do not ask for passwords or full account details in an email, nor send a link to a page requesting them.

2. The Lure: Spear Phishing

This one is more sophisticated and can be tricky to spot. Phishers glean specific information about you from social media and other public postings, and they are not afraid to use it. Data from previous breaches is quickly becoming the most valuable information available: the more specific information a criminal knows about you, the more likely they can produce an enticing email. This is how criminals weaponize data. Data about you is just information, but turning that information into a malware delivery system makes it a weapon. Finally, look-alike domains are often used to make the email that much more credible. So the email may look like a PayPal email, but the address is slightly off.

Can you spot the fake email address?

support@paypaI.com or support@paypal.com.

The first address is the fake: it has a capital "I" where the lowercase "l" should be, and in many fonts the two are indistinguishable. This is an extreme example, but there are thousands of attacks every day using this type of deception, including digits for letters (paypa1), letter pairs that blur together (rn for m), and Cyrillic letters that render identically to Latin ones.
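A check that catches the look-alike addresses described above, and that serves equally as the "read the domain to the end" URL check recommended earlier, as an added example in Python (not code from this article). The brand list is an assumption standing in for an organization's own allow-list, and the confusable tables are a small hand-picked subset rather than the full Unicode TR39 data.

```python
"""Classify a sender address against known domains after folding visually confusable characters."""
import unicodedata

KNOWN_DOMAINS = {"paypal.com"}  # assumed allow-list; a real deployment would hold its own brands

# Single-character folds applied after accents are stripped. Cyrillic entries are a subset.
SINGLE = str.maketrans({
    "0": "o", "1": "l", "|": "l", "!": "l", "5": "s", "3": "e", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
})
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain: str) -> str:
    """Reduce a domain to the form it visually resembles."""
    if "xn--" in domain:  # punycode label: decode so Unicode look-alikes become visible
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    s = domain.replace("I", "l")                   # sans-serif capital I reads as lowercase l
    s = unicodedata.normalize("NFKD", s.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # é -> e
    s = s.translate(SINGLE)
    for pair, single in MULTI:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_DOMAINS):
    """Return (verdict, matched known domain or None) for an email address or bare domain."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(".")
    plain = domain.lower()
    for k in known:                                   # exact domain or a real subdomain of it
        if plain == k or plain.endswith("." + k):
            return "legitimate", k
    sk = skeleton(domain)
    for k in known:
        if ("." + k + ".") in ("." + plain + "."):      # brand buried as a subdomain elsewhere
            return "brand-in-subdomain", k
        if sk == skeleton(k) or sk.endswith("." + skeleton(k)):
            return "lookalike", k                     # identical once confusables are folded
    for k in known:
        if edit_distance(sk, skeleton(k)) == 1:
            return "typosquat", k
    return "unknown", None


if __name__ == "__main__":
    for addr in ("support@paypal.com", "support@paypaI.com", "support@paypa1.com",
                 "support@p\u0430ypal.com", "support@paypal.com.verify-login.example",
                 "support@paypall.com", "news@example.org"):
        print(f"{addr:45} -> {classify_sender(addr)}")
```

Legitimate domains are matched before any folding so that a real brand containing a capital I or a digit is not flagged against itself; the folds only ever run when the plain comparison has already failed.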

How to Avoid the Hook:

Avoid posting personal information anywhere on the web. Social media and other sites are trawled by phishers looking for an effective hook, and they count on unsuspecting users. Practice common-sense password security for every site you log onto. Most importantly, verify every unexpected link and attachment with a phone call or a separate email before clicking.

3. The Lure: CEO Fraud

Phishers assume the identity of the head of the company as the sender. The subject line and text direct people in certain positions to take financial action, such as making a payment to a bogus vendor.

How to Avoid the Hook:

Don't hesitate to verify the boss's email request, especially if it seems out of place, and do it through a channel you already have (a known phone number or a walk down the hall), not by replying to the message. A quick call can avoid a fraudulent transfer, and CEOs would rather be safe with a phone call than sorry without one.

4. The Lure: Pharming

Phishers also use fake websites to gain your trust and information. In pharming, rather than luring you with a link, they tamper with name resolution (a poisoned DNS cache or a modified hosts file on your machine) so that even a correctly typed address lands on a well-crafted fake site that is ready to harvest your data.

How to Avoid the Hook:

Even the slightest doubt about a website should be checked. The lock icon to the left of the URL tells you only that the connection is encrypted to whoever controls that domain; phishing sites routinely obtain valid certificates, so the lock alone proves nothing about legitimacy. Click the lock to view the certificate and confirm that the domain it was issued for is the site you meant to visit, then read the address bar through to the end of the domain name. If the certificate is missing or invalid, or the domain is not what you expected, leave quickly and report your experience to the appropriate person or department.

5. Problem: Phishing for File Sharing

Business file-sharing services are an effective lure for stealing login credentials and delivering malware-infected files. Employees receive emails that appear to be ordinary sharing notifications or access requests. When they act on them, the phishers are waiting to pounce.

How to Avoid the Hook:

Check those emails carefully, look for grammatical errors and misspellings, and always be aware of which service you are actually signing in to. Where the service supports it, use a hardware security key (FIDO2/WebAuthn) for login; if that is not available, enable two-step verification. Any additional verification step makes the phisher's job harder.


Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.
